From 28ac37d4b8b9580d4ad8be2c720fa9e4bffb7bfd Mon Sep 17 00:00:00 2001 From: wakefu Date: Fri, 10 Jul 2026 10:15:15 +0800 Subject: [PATCH 1/2] [INLONG-12156][Manager] Add verification of operator permissions during the creation and modification of tenant roles --- .../service/user/TenantRoleServiceImpl.java | 53 ++++++++++++++++--- 1 file changed, 47 insertions(+), 6 deletions(-) diff --git a/inlong-manager/manager-service/src/main/java/org/apache/inlong/manager/service/user/TenantRoleServiceImpl.java b/inlong-manager/manager-service/src/main/java/org/apache/inlong/manager/service/user/TenantRoleServiceImpl.java index 6b8f6acb672..a78d20c6139 100644 --- a/inlong-manager/manager-service/src/main/java/org/apache/inlong/manager/service/user/TenantRoleServiceImpl.java +++ b/inlong-manager/manager-service/src/main/java/org/apache/inlong/manager/service/user/TenantRoleServiceImpl.java @@ -84,6 +84,8 @@ public int save(TenantRoleRequest request, String operator) { Preconditions.expectNotBlank(request.getRoleCode(), "Failed to save tenant user role, role code should not be blank"); + checkTenantAdminPermission(operator, tenantName); + InlongTenantEntity tenant = tenantMapper.selectByName(tenantName); Preconditions.expectNotNull(tenant, TENANT_NOT_EXIST, String.format(TENANT_NOT_EXIST.getMessage(), tenantName)); @@ -100,6 +102,12 @@ public boolean update(TenantRoleRequest request, String operator) { Preconditions.expectNotNull(exist, ErrorCodeEnum.RECORD_NOT_FOUND, String.format("tenant user role record not found by id=%s", request.getId())); + checkTenantAdminPermission(operator, exist.getTenant()); + if (request.getTenant() != null && !request.getTenant().equals(exist.getTenant())) { + throw new BusinessException(ErrorCodeEnum.PERMISSION_REQUIRED, + "tenant of a tenant-role binding cannot be changed during update"); + } + TenantUserRoleEntity entity = CommonBeanUtils.copyProperties(request, TenantUserRoleEntity::new); entity.setModifier(operator); int rowCount = tenantUserRoleEntityMapper.updateById(entity); @@ -112,6 +120,31 @@ public boolean update(TenantRoleRequest request, String operator) { return true; } + private void checkTenantAdminPermission(String operator, String tenant) { + if (operator == null || tenant == null) { + throw new BusinessException(ErrorCodeEnum.PERMISSION_REQUIRED, + "operator or tenant cannot be null when checking tenant admin permission"); + } + // Inlong-level admins/services bypass per-tenant checks by design. + InlongRoleInfo inlongRole = inlongRoleService.getByUsername(operator); + if (inlongRole != null && inlongRole.getRoleCode() != null) { + String code = inlongRole.getRoleCode(); + if (UserRoleCode.INLONG_ADMIN.equals(code) || UserRoleCode.INLONG_SERVICE.equals(code)) { + return; + } + } + TenantUserRoleEntity roleEntity = + tenantUserRoleEntityMapper.selectByUsernameAndTenant(operator, tenant); + if (roleEntity == null + || Integer.valueOf(1).equals(roleEntity.getDisabled()) + || !UserRoleCode.TENANT_ADMIN.equals(roleEntity.getRoleCode())) { + throw new BusinessException(ErrorCodeEnum.PERMISSION_REQUIRED, + String.format( + "current user [%s] is not a TENANT_ADMIN of tenant [%s]", + operator, tenant)); + } + } + @Override public TenantRoleInfo get(int id) { TenantUserRoleEntity entity = tenantUserRoleEntityMapper.selectById(id); @@ -149,12 +182,20 @@ public Boolean delete(Integer id) { @Override public Integer saveDefault(String username, String operator) { - // make default public tenant permission - TenantRoleRequest tenantRoleRequest = new TenantRoleRequest(); - tenantRoleRequest.setTenant(DEFAULT_TENANT); - tenantRoleRequest.setRoleCode(UserRoleCode.TENANT_OPERATOR); - tenantRoleRequest.setUsername(username); - return this.save(tenantRoleRequest, operator); + Preconditions.expectNotBlank(username, "username should not be blank"); + InlongTenantEntity tenant = tenantMapper.selectByName(DEFAULT_TENANT); + Preconditions.expectNotNull(tenant, TENANT_NOT_EXIST, + String.format(TENANT_NOT_EXIST.getMessage(), DEFAULT_TENANT)); + + TenantUserRoleEntity entity = new TenantUserRoleEntity(); + entity.setUsername(username); + entity.setTenant(DEFAULT_TENANT); + entity.setRoleCode(UserRoleCode.TENANT_OPERATOR); + entity.setDisabled(0); + entity.setCreator(operator); + entity.setModifier(operator); + tenantUserRoleEntityMapper.insert(entity); + return entity.getId(); } } From 8b4d7bbff1a122ebe85804f981de4da4f9789924 Mon Sep 17 00:00:00 2001 From: wakefu Date: Fri, 10 Jul 2026 10:23:54 +0800 Subject: [PATCH 2/2] [INLONG-12156][Manager] Add verification of operator permissions during the creation and modification of tenant roles --- .../inlong/manager/service/user/TenantRoleServiceImpl.java | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/inlong-manager/manager-service/src/main/java/org/apache/inlong/manager/service/user/TenantRoleServiceImpl.java b/inlong-manager/manager-service/src/main/java/org/apache/inlong/manager/service/user/TenantRoleServiceImpl.java index a78d20c6139..c5461c4fa22 100644 --- a/inlong-manager/manager-service/src/main/java/org/apache/inlong/manager/service/user/TenantRoleServiceImpl.java +++ b/inlong-manager/manager-service/src/main/java/org/apache/inlong/manager/service/user/TenantRoleServiceImpl.java @@ -174,6 +174,10 @@ public List listTenantByUsername(String username) { public Boolean delete(Integer id) { String operator = LoginUserUtils.getLoginUser().getName(); log.info("begin to delete inlong tenant role id={} by user={}", id, operator); + TenantUserRoleEntity exist = tenantUserRoleEntityMapper.selectById(id); + Preconditions.expectNotNull(exist, ErrorCodeEnum.RECORD_NOT_FOUND, + String.format("tenant user role record not found by id=%s", id)); + checkTenantAdminPermission(operator, exist.getTenant()); int success = tenantUserRoleEntityMapper.deleteById(id); Preconditions.expectTrue(success == 1, "delete tenant role failed"); log.info("success delete inlong tenant role id={} by user={}", id, operator);